This is the White Rhino Security blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.

Saturday, May 30, 2015

Friday, May 29, 2015

I'm on the fence still about SonicWall for SOHO. There is no way I would choose it over Check Point or Palo Alto, but for small offices, I guess I'm not opposed. It does do content filtering, which is good. I know most firewalls do, and they should at this point in the game. I have to say I have had good luck with the content filtering portion of the SonicWall. I guess I'm not sad with it. But again, for true enterprise-level businesses, this is not what I would choose.

Thursday, May 28, 2015

I wanted to do a switch comparison between the newer Cisco 3850/3650 and the newer Brocade ICX 7450/7250 switches. I came up with a newer spreadsheet for myself and my sales guys, so that we could do quick comparisons between the newer products. So for this post, I thought I would compare a few performance differences between the Cisco 3850 and 3650 access switches as opposed to the Brocade ICX 7450 and 7250 access switches. It's always an interesting comparison when honestly looking at the performance specs. Here below is an "apples to apples" comparison of the most powerful switches of each of the series.

Wednesday, May 27, 2015

I have said it many times in the past: Capsa is literally my best friend as a network troubleshooter. You can interview people all you want to figure out what the problem is, but Capsa saves me so much time in troubleshooting that all I really need from a customer is a "general" description of what the problem is.
If you are a network consultant and do not have Capsa, do yourself a favor. Save yourself time and money by getting this in your toolkit. It's built specifically for network engineers and troubleshooting purposes. Even if you just do network assessments, this will help you and your customers KNOW what is going on, on the network.
In my experience, I can tell you it has saved me time and money in troubleshooting networks. Not only that, but it has also given much needed information to my customers, even when I was not troubleshooting anything. I do network assessments regularly when time permits. I want to make sure my customers know what is going on, on their network. Capsa is one way I do this.
Why do I tell you about Capsa so much? Because I want you to have the ability to be a great network engineer.

Saturday, May 23, 2015

Friday, May 22, 2015

There are some edge devices that don't necessarily make it easy to troubleshoot VPNs. So a packet capture is in order. In this scenario, something isn't right on the VPN. I can't get traffic across from one side to the other. It appears that, on the customer side that I'm visiting, the traffic is not making it to the other side of the VPN. The customer doesn't have a reliable way to determine "what" the problem is. So I'm going to take a packet capture on the public side of the firewall to see if I can tell anything interesting.
Notice the source below. You shouldn't see the private address as the source address, but you do. I am expecting to see a public address (my peer) as the source and a public address (their peer) as the destination. I know this because of where I'm placing my packet capture. Again, keep packet captures as an integral part of your troubleshooting capabilities.

Thursday, May 21, 2015

Have you guys seen the newer Brocade 7250 and 7450 switches? They are looking pretty decent in the performance spec area. It's looking to me like I will be replacing the 64XX series access switches with these guys when appropriate. Don't get me wrong, I'm not sad with the 6450s.
Take a look at the backplane and forwarding specs here below. These are pretty good for access closet switches. I think I personally will be preferring the 7450s over the 7250s. But the 7250s still look really good for areas where you need PoE in the closets. I think the only one I might try to stay away from is the 7250-24G, but still, it's better than the Cisco 3850 24 port series when it comes to performance.

Wednesday, May 20, 2015

There are numerous terms for what I call the encryption ACL for a VPN. Cisco calls it "interesting traffic". Check Point calls it an "encryption domain". I'm sure the other vendors have their own words for it as well. So what is it and what does it do?
We are taught that this is what defines the traffic that is to go across the VPN. For the sake of this conversation, I'm going to be talking about remote-access, not site-to-site VPNs. I can do site-to-site VPNs in another post. But I think it's important for you to know what actually happens when you configure this. Not on the firewall, but on the remote end. The client side.
You see, you have to define what is allowed across the VPN. Although it is for the firewall's benefit, it's also for the client side. How does the client know what is allowed? After all, you don't configure anything on the client side when it comes to "allowed" or "denied" traffic, right?
So, here is the thing. When you configure your ACL for encryption, you are also telling the client side what the routing table, on the client side, needs to look like. In fact, you are modifying the routing table on the client PC with this ACL. It literally serves two purposes (for firewall and for client). So, you all know I like proof, so here is the proof.
First, let's look at two ACLs. This is on a Cisco firewall.
Here is the NAT ACL. I do have it set correctly, because in this case, it's a no-NAT situation. And, it DOES have to be configured correctly for the VPN to work, if you are not NAT'ing.

access-list nonat extended permit ip any 10.10.12.0 255.255.255.0

Notice it's nothing special. Just what I have on my laptop when all is normal. Now, let's VPN into the ASA. The one where you see the ACLs above. Notice below, once I VPN'ed in, the highlighted routes are what is added to my routing table. The one I want you to notice though is the extra default route that was added. Now, I have two default routes: the one that is my own default gateway, and the one that the ASA put on my PC with the ACL named "remote_access".

Now, remember, I want to get to the 10.255.16.X network. But, you don't see it here, except in the default route (of which I have two). Let me ping the address I want to get to, to verify I can't get to it:

C:\Users\skillen>ping 10.255.16.7

Pinging 10.255.16.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.255.16.7:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Let's delete that extra default route out (the one the ASA put in place). Two default routes are causing me problems, so I'm going to delete it out.

C:\Users\skillen>route delete 0.0.0.0 mask 0.0.0.0 10.10.12.1
 OK!

Notice in the above "route print" on the remote-access client, the default route that the ASA put in is gone. I took it out with the route delete command in a DOS prompt. I'm still connected though to the ASA via the Cisco VPN client.

Now, let's add our own route in a DOS prompt on the remote-access client. We are going to add in the 10.255.16.X network, so that we can get across the VPN to the destination I really want to get to. Our default gateway for that will be the IP address of the ASA (10.10.12.1).

Notice above, the highlighted new route on my laptop for the 10.255.16.X network. It's in place and pointed to the ASA. Keep in mind, what I just put in does still fall under the "remote_access" ACL (meaning the source of "10.255.16.X" is covered under "any"). Now, let's ping 10.255.16.7.

C:\Users\skillen>ping 10.255.16.7

Pinging 10.255.16.7 with 32 bytes of data:
Reply from 10.255.16.7: bytes=32 time=57ms TTL=63
Reply from 10.255.16.7: bytes=32 time=98ms TTL=63
Reply from 10.255.16.7: bytes=32 time=56ms TTL=63
Reply from 10.255.16.7: bytes=32 time=51ms TTL=63

Ping statistics for 10.255.16.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 98ms, Average = 65ms

Now we are in good shape. You can do this route modification on your laptop as long as the destination falls under the same range as the source in the encryption ACL. It's rare that you will ever want to modify this. However, I have, in times past, needed to do so to reach what I wanted to. Thankfully, you do still have some control.
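As an added example (not from the original post), here is a small Python model of what the post walks through: the client routing table with the ASA-pushed default route, why a lookup for 10.255.16.7 is unreliable while two default routes are present, the route delete / route add fix, and the check that the destination must still fall inside the encryption ACL's local side. The 192.168.1.1 home gateway, the metrics and the tie-breaking rule are assumptions for the model, not Windows' actual route selection algorithm.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, int]  # (prefix, gateway, metric)

LAN_GW = "192.168.1.1"    # constructed: the laptop's normal default gateway
TUNNEL_GW = "10.10.12.1"  # the ASA-side gateway of the VPN pool, as in the post

def client_table() -> List[Route]:
    """Constructed table after the VPN comes up: the laptop's own default
    route plus the second default the ASA pushed (ACL source 'any')."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), LAN_GW, 25),
        (ipaddress.ip_network("0.0.0.0/0"), TUNNEL_GW, 25),  # pushed by ASA
        (ipaddress.ip_network("10.10.12.0/24"), TUNNEL_GW, 25),
    ]

def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. Returns None when the best match is a tie
    (same prefix length and metric), modelling the unreliable forwarding
    the author saw with two default routes."""
    ip = ipaddress.ip_address(dst)
    best = [r for r in table if ip in r[0]]
    if not best:
        return None
    longest = max(r[0].prefixlen for r in best)
    best = [r for r in best if r[0].prefixlen == longest]
    lowest = min(r[2] for r in best)
    best = [r for r in best if r[2] == lowest]
    return best[0][1] if len(best) == 1 else None

def apply_fix(table: List[Route]) -> List[Route]:
    """The post's fix: 'route delete' the pushed default, then 'route add'
    10.255.16.0/24 via the ASA."""
    kept = [r for r in table if not (r[0].prefixlen == 0 and r[1] == TUNNEL_GW)]
    return kept + [(ipaddress.ip_network("10.255.16.0/24"), TUNNEL_GW, 25)]

def reachable(table: List[Route], dst: str, acl_local: str = "0.0.0.0/0") -> bool:
    """Traffic crosses the tunnel only if the client routes it to the ASA AND
    the destination sits inside the encryption ACL's local side ('any' in
    the post, so 0.0.0.0/0 is the default here)."""
    in_acl = ipaddress.ip_address(dst) in ipaddress.ip_network(acl_local)
    return lookup(table, dst) == TUNNEL_GW and in_acl

if __name__ == "__main__":
    before, after = client_table(), apply_fix(client_table())
    print("before fix:", lookup(before, "10.255.16.7"))   # None (tie)
    print("after fix: ", lookup(after, "10.255.16.7"))    # 10.10.12.1
    print("ACL narrowed to 10.10.0.0/16:", reachable(after, "10.255.16.7", "10.10.0.0/16"))
```

The last line shows the caveat from the post: if the ACL's local side did not cover 10.255.16.X, the added client route alone would not get traffic across.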

Monday, May 18, 2015

Cisco has made it pretty easy to do upgrades. In this example, I'm doing a minor upgrade from 8.5 to 8.5.1-17900, so that I can do a restore from the production backup I took. You have to go into OS Administration, then choose Software Install/Upgrades. It's pretty easy from there. You just get your SFTP server going, put the ISO file in the correct directory, and do the upgrade.

Sunday, May 17, 2015

So Christ has now become the High Priest over all the good things that have come. He has entered that greater, more perfect Tabernacle in heaven, which was not made by human hands and is not part of this created world. With his own blood—not the blood of goats and calves—he entered the Most Holy Place once for all time and secured our redemption forever.

Under the old system, the blood of goats and bulls and the ashes of a young cow could cleanse people’s bodies from ceremonial impurity. Just think how much more the blood of Christ will purify our consciences from sinful deeds so that we can worship the living God. For by the power of the eternal Spirit, Christ offered himself to God as a perfect sacrifice for our sins. That is why he is the one who mediates a new covenant between God and people, so that all who are called can receive the eternal inheritance God has promised them. For Christ died to set them free from the penalty of the sins they had committed under that first covenant. (Hebrews 9:11-15)

Thursday, May 14, 2015

Today, Brad Moore shares with us what it's like to have a good company culture. He writes a really good technical blog @ showconfig.net, which is listed on my IT blogs page. Check his blog out! Thanks Brad. ~~Shane Killen.

What does working for a company with good culture feel like? It feels great, let me tell you. How do you define an excellent culture? That’s not as easy as you might think, as each worker may have a different definition of why they like working for a good company. However, I have found that good companies tend to have the following traits…

Communication – As Shane already explained, communication (whether done well or poorly) can make or break a work environment. The last several companies I’ve worked for all did a great job of communicating…whether it was positive news or negative, we workers always knew what was going on.

Family – When working at a good company, you feel like a family. Case in point…I’ve been working at my current company for 13 years now. Back in 2004, my wife passed away due to cancer. She had been in the ICU for over a month, and I had to spend a lot of time at the hospital and at home taking care of our kids. I worked when I could, but it wasn’t a lot…perhaps half a day, sometimes none. I had only been at the company for two years at that time, so I didn’t have a lot of vacation or sick time, so I quickly used it all up. When I finally came back to work full time, I found out I still had a week of vacation and a couple days of sick time on the books, yet my paycheck never changed. Family takes care of family.

Fun – Yes, you can have fun at work. And a good culture not only allows for that, but encourages it. In fact, my IT department just attended a local baseball game several weeks ago and had a great time. We joke with each other, kid each other…and we all work well together.

Training – A good company wants their employees to continuously grow and learn, and become better. It helps both the company and the employee.

Protection – What do I mean by that? Think of a mother hen protecting her young. I was Senior Network Engineer at a previous company, and if my network went down, the company would lose about $250,000 in profit per hour. (During the Christmas season that hourly rate was over $1 million dollars of profit!!) Talk about pressure. However, my boss protected me from all of the upper managers…they were not allowed to call me at all. Every 30 minutes, she would call me and I would give her a quick update and projected ETA. Otherwise, I was left in peace to work the problem and get the network back up. That meant a lot to me…still does.

Accountability – This can cut both ways, but all good companies must hold every employee accountable. What separates a good company from a bad one is “fairness”. Accountability, if applied fairly for all, is a cornerstone of a good company. No favorites…everyone treated the same. In the long run, this will result in a strong and productive team…and in today’s economy, that is a powerful advantage.

Wednesday, May 13, 2015

So what is it that, when you have a site-to-site VPN between a Check Point and a Cisco firewall, it's sometimes near impossible to get phase 2 combinations of encryption and hash higher than 3DES/MD5 to work out? I have seen this often in the past. I go with AES-256 and SHA1. But for some reason, I get very unpredictable results. That might mean I can ping across one minute, but the next I can't. It has also meant that I get one-way traffic. The thing is, that when I change to 3DES/MD5, the VPN works perfectly and consistently. So why is that?
I don't know the answer right now, but I'll certainly be looking into it. I don't want to use 3DES/MD5. I prefer to go higher.

Tuesday, May 12, 2015

I have seen and heard, on more than a few occasions, where employees feel "unimportant" or "not valued" when management refuses to communicate with them. I keep hearing the same common thing: "When I call my 'manager', they never answer and they never call back". I also hear the same about text messaging. Every time I hear this, I just don't get it. Why would a manager just not have the desire to make a 60 second phone call OR a 15 second text message??? It's beyond me, but I can tell you, it takes a toll on company morale, which leads to bad company culture.

Monday, May 11, 2015

I mean the download, not necessarily the actual application itself. I keep finding that the freeware things I like using so much keep getting bought by some company, only to make you pay for it. I hate that. I recently had one program I really liked that used to be free. Now, someone wants to make money off of it and, let's face it, I don't want to pay for it. I'm just saying that if you like something that is free, store the freeware install somewhere where you can get to it once someone buys it and then makes you pay for it. I know that if you are in IT, you know what I'm talking about.

Monday, May 4, 2015

It's interesting to watch a call fail. Even more interesting, you can see the dial-peers of the CUBE in action when you have the preference command on dial-peers that match the same destination pattern. In this example, you have two CUCMs (publisher and subscriber) and both end up not being able to take the call. It's interesting to see the CUBE send to both though, indicating that it tried to send the packets (the call) to the second CUCM when the first one failed.

Saturday, May 2, 2015

Friday, May 1, 2015

Part 2 ~ of a series on company culture.
So how do you find out about the company culture of a business? It may not be important to you, but I think to some people, it might be. I think the older I get, the more important it is to me. So, I started a list of questions that I think I wouldn't mind asking, that might give you an idea of the culture of the company:
1. "What time do you normally come in to work and leave for the day?" (Are they flexible?)
2. "What are the busiest times of year, and what are those times like?" (Really, what are the expectations of busy/stressful times)
3. "What kind of person fits in well here and what type of person isn't a strong fit?" (Listen if they describe you as someone that doesn't fit well. Be honest with yourself as well. If you don't fit, don't keep trying for it. You will be miserable.)
4. "If you could change one thing about the culture here, what would it be?" (Listen for clues for something you might not like.)
5. "What do you wish you knew about working at this company before starting work here?" (Again, listen.)
6. "How long do employees typically stay at the company?" (Verify this on LinkedIn. Do they have a high turnover rate?)
7. "Does the company invest in technical training for employees? If so, how much per person, per year?"

You get the idea. Whatever is important to you, ask. You shouldn't be dinged for asking things that concern you. If you are, then you probably didn't want to work there anyway.